Recently patched security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software have been leveraged by China and Nexus threat actors to target a wide range of sectors in Europe, North America and Asia-Pacific regions.
Vulnerabilities tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2) can be chained to execute arbitrary code on vulnerable devices without requiring authentication. They were addressed by Ivanti last week.
Currently, according to an EclecticIQ report, the vulnerability chain has been abused since at least 2023 by UNC5221, a Chinese cyberspy group known for targeting Edge Network appliances.
The Dutch cybersecurity company said the early exploitation activities date back to May 15, 2025, with attacks targeting healthcare, telecommunications, aviation, local government, finance and defense sectors.
“The UNC5221 demonstrates a deeper understanding of the internal architecture of EPMM and reuse legal system components for secret data delamination,” said security researcher Arda Büyükkaya. “Given the role of EPMM in managing and pushing configurations to enterprise mobile devices, successful exploitation allows threat actors to remotely access, manipulate, or compromise thousands of managed devices across their organization.”
The attack sequence targets the “/MIFS/RS/API/V2/” endpoint, obtains an interactive reverse shell, and executes any command remotely in Ivanti EPMM deployment. This is followed by the deployment of KrustyLoader, a known rust-based loader due to UNC5221 that allows for the delivery of additional payloads like Sliver.
It has also been observed that threat actors are targeting MIFS databases by using hard-coded MySQL database credentials stored in /mi/files/system/system/system/.mifpp.
Additionally, incidents are characterized by using obfuscated shell commands for host reconnaissance before dropping KrustyLoader from AWS S3 buckets and Fast Inverse Proxy (FRP) to promote network reconnaissance and lateral movement. It is worth mentioning here that FRP is an open source tool that is widely shared among Chinese hacking groups.
Eclecticiq said it also identified a command and control (C2) server associated with Auto-Color, a Linux backdoor documented by Palo Alto Networks Unit 42, which has been used in attacks targeting universities and Asian organizations in North America and Asia between November and December 2024.
“The IP address 146.70.87(.) 67:45020, previously associated with the auto-colored command and control infrastructure, was seen to issue outbound connectivity tests via CURL immediately after using the Ivanti EPMM server,” pointed out Bükkaya. “This behavior is consistent with the auto-colored staging and beacon patterns. These indicators are highly likely to link to China and Nexus activities.”
This disclosure is made as it states that it witnessed a significant surge in scan activities targeting Ivanti Connect’s secure and pulse-secure products prior to disclosure of CVE-2025-4427 and CVE-2025-4428.
“While the scans we observed were not directly linked to EPMM, the timeline highlights a significant reality. Scanning activities often precede the public emergence of zero-day vulnerabilities,” the company said. “This is a key indicator. It’s a signal that attackers are investigating potentially important systems in preparation for future exploitation.”
